Java and Information Assurance

Introduction

What is Java?

The About section of java.com starts with “Java is the foundation for virtually every type of networked application and is the global standard for developing and delivering embedded and mobile applications, games, Web-based content, and enterprise software. With more than 9 million developers worldwide, Java enables you to efficiently develop, deploy and use exciting applications and services.” [1]

The confusion over Java

There has been considerable confusion over what Java really is, especially among end users. Over the years Java naming and versioning has gone through changes. The Java download page for end users, i.e. users who would use the Java Runtime Environment as a plug-in in their browsers to work with Applets, has the following note: “Java software for your computer, or the Java Runtime Environment, is also referred to as the Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, Java plug-in, Java plug-in, Java add-on or Java download.” [2]. So it is fair to say the Java naming and versioning system is not helping to clear up any confusion.

The developer community, when referring to Java, also means the programming language and the development kit, popularly known as the JDK (Java Development Kit) or Java SE (Java Standard Edition). The JDK is a development environment for building applications, applets, and components using the Java programming language [3].

Besides, the popular scripting language released by Netscape and named JavaScript has nothing to do with Java [50].

Client and Server

It is also essential to understand some basics of enterprise software architecture to be able to clearly follow the topics discussed in this paper. Note that the description below is a simplified version of a real-life application deployed in an enterprise; refer to Illustration 1: Simplified Client-Server Architecture.

Illustration 1: Simplified Client-Server Architecture

In the above illustration the user tries to search for books on “Baking”. He/she uses a browser (like Internet Explorer, Firefox, Chrome, etc.) installed on his/her computing device (like a laptop) to access a website and search for the book. When the search request is made, it is processed by the server, which pulls up a list of “Baking” books and sends them out to the user, who views them in the browser. Here the request is made using the client’s browser and the processing and response generation are performed by some server software running on the server.

It is important to realize that in the above illustration Java could be running on the server that is responsible for processing the request and sending out the response, but Java could also be used on the client side as a plug-in in the browser running a Java Applet, allowing the user to flip through the first few pages of the book before buying it.

It is worth mentioning that this is not the only scenario or architecture where Java is used; as described in the introduction, there are several different types of devices where Java is being used today.

This understanding is essential since most of the high-profile zero-day vulnerabilities reported and exploited in 2013 were exploited when Java was run as a plug-in in the user’s browser, i.e., Java running on the client’s machine (typically as a Java Applet).

The Programming Language of Choice

Popularity

For more than a decade Java has continued to hold the top spots in the ranking of programming languages on the TIOBE Programming Community Index. In October 2013 Java ranked a close second after C, which held the first spot [4].

Why Java?

Listed here are some features of Java that make it popular in the developer community:

Platform Independence: This is one of the primary reasons for Java’s popularity. Java programs written on one platform can run on several other computing platforms with little or no change. For example, a Java program written on Windows can run on Linux/Unix, Mac, mainframes, and even mobile devices [5].

Object Oriented: Java is object oriented. Object-oriented programming (OOP) is a programming language model organized around objects rather than “actions” and data rather than logic [6].

Java API: Java comes with a massive library of classes that provide useful utilities. These libraries are a part of the Java language itself [5].

Brief history of Java

The History of Java technology states, “In 1991, a small group of Sun engineers called the “Green Team” believed that the next wave in computing was the union of digital consumer devices and computers. Led by James Gosling, the team worked around the clock and created the programming language that would revolutionize our world – Java.” [9].

On April 20th 2009 Oracle took over Sun Microsystems which came as a surprise to the software industry as Sun was in talks with IBM for the takeover [7]. Java SE 7 was the first major Java release under Oracle [8].

Information Assurance and Information Security

Information Assurance is defined as “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” [10]. Information Security, on the other hand, is “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction” [11].

While these two terms tend to be used interchangeably [12], Information Security is necessarily a subset of Information Assurance. Information Security tends to be more technical and tactical in nature and is more tool focused (anti-virus, firewalls) and includes Vulnerability Assessment and Penetration Testing. Information Assurance includes Information Security, but tends to be more strategy focused and includes areas like Privacy, Compliance, Business Continuity & Disaster Recovery, etc. [13].

The model depicts how the popularity of and investment in a certain technology go hand in hand. An increase in popularity will lead to an increase in investment and vice versa. With increased popularity and investment, the interest of the Information Security and hacker communities in the technology will rise, and there will be a greater chance of vulnerabilities being discovered and new safeguards being developed; so popularity and investment in a technology affect Information Security. On the other hand, this changing information security environment (the rate and quality of discovery of vulnerabilities) and the ability of the technology to evolve gracefully in the face of change will affect its popularity and hence future investment.

Information Security is in essence a subset of a larger set of concerns, information assurance, and hence an information security concern is an information assurance concern. Besides, the level of investment in a given technology decides the need for Information Assurance planning and long-term business continuity planning. The outcome of the business continuity planning effort affects future investment and eventually popularity.

Why Java and Information Assurance?

As described above in the sections Popularity and Why Java?, it is evident that Java is a popular language and platform and is ubiquitous in its presence. It is apparent from the section Popularity, Investment, Information Security and Information Assurance – An Interrelationship Model that Java would have a significant impact on Information Assurance (and Information Security). The increase in vulnerabilities being discovered in recent years and the media attention they receive depict the impact of Popularity and Investment on Information Security explained in the section Java Vulnerabilities. An aspect of the Business Continuity (Information Assurance) of Java as a platform is described in the section Business Continuity and the need for an Alternative.

This is a vast discussion, and in the interest of brevity two important aspects that have been receiving a lot of media, business (and in some cases government) attention in recent times are discussed here. Android and related technologies are out of scope for this paper.

Java Vulnerabilities

Racing up the ladder to infamy

There are several reports published each year listing some of the highlighted attacks and discovered zero-day vulnerabilities of that year. Java featured in many of those reports in 2013. Some of the cases are mentioned below.

The report IT Threat Evolution: Q2 2013 had a section on Bitcoins (Bitcoin madness), and one case mentioned there was an attacker who compromised a legitimate website and inserted an iFrame with a malicious Java Applet that redirected users to a fake Mt.Gox website [14]. Mt.Gox K.K. hosts and operates the leading Bitcoin trading platform, facilitating the exchange of Bitcoins between individuals and businesses internationally. Mt.Gox K.K. is one of the oldest and most established Bitcoin businesses in operation today [15].

In the second quarter of 2013 Kaspersky Lab ranked the top 20 attacks launched from online resources, and Java-related attacks featured twice in the top 20 list [14].

Java zero-day threats featured in the Top 5 Zero-Day Threats Of 2013 report from CRN [16].

Other reports indicated that Java was at the top of the list for malware writers; one such report was the F-Secure H1 2013 Threat Report. The report has a sub-section dedicated to Java, “Java — second most targeted program”, according to which, of the top five most targeted vulnerabilities, four are found in the Java development platform, either the Runtime Environment (JRE) or the browser plug-in [17].

The Sophos Security Threat Report 2013 reported that Java attacks had reached a critical mass. It reported that in April 2013, 600,000 Mac users found themselves recruited into a Flashback or Flashplayer botnet, due to a Java vulnerability left unpatched for too long [18]. More than half of the Macs infected were in the United States (57 percent), while another 20 percent were in Canada, according to Dr. Web, a Russian antivirus company [19].

CVE-2013-0422

Background

While over the years several Java vulnerabilities have been discovered, CVE-2013-0422 deserves a special mention. On January 10th 2013, the Department of Homeland Security’s (DHS) Computer Emergency Readiness Team (CERT) warned of a Java zero-day attack and advised users to disable or uninstall Java. AlienVault Labs was able to successfully reproduce and validate the attack. It was one of the rare cases where the US government advised disabling software rather than offering suggestions to mitigate the threat [20].

Days after the announcement, Oracle released a patch on January 13th 2013 to fix the vulnerability CVE-2013-0422. It maintained that while Java SE 7 Update 10 and earlier were affected, JDK and JRE versions 6, 5.0, and 1.4.2 were not affected by this vulnerability. It also clarified that Java running on servers was not affected by this vulnerability [21].

However, even after the fix was released, DHS continued to recommend that users disable Java in the browser [22].

Vulnerability Details

The vulnerability in question was widely published. It was logged as Alert (TA13-010A) – Oracle Java 7 Security Manager Bypass Vulnerability on the US-CERT website. The overview of the alert mentioned “A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.” It further noted in the Description “A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a “drive-by download” attack).” [23]

A more detailed and technical description was provided on the CVE website, which explained the use of JMX (Java Management eXtensions) or the Java Reflection API to exploit this vulnerability [24].

Oracle Java SE Critical Patch Update Advisory – June 2013

CVE-2013-0422 was certainly not the last of the big vulnerabilities found in Java in 2013. In June 2013, Oracle released a CPU (Critical Patch Update) which addressed several vulnerabilities. Almost all the vulnerabilities being patched allowed remote code execution without authentication. Interestingly, some of these vulnerabilities were exposed by sub-components like “2D” (2D graphics) and AWT (Abstract Window Toolkit, which contains all of the classes for creating user interfaces and for painting graphics and images) [25].

The biggest concern here was that many of the vulnerabilities in question affected older versions of Java which had reached their End of Public Updates [26]. One such example is CVE-2013-2463, a vulnerability in the Java 2D sub-component that allowed remote code execution without authentication over the network. The exploit was possible over multiple protocols and was a risk to Confidentiality, Integrity and Availability [25]. The vulnerability affected Java 7 Update 21 and before, Java 6 Update 45 and before, and Java 5.0 Update 45 and before. CVE-2013-2463 has a date of entry of “20130305” (March 5th 2013) on CVE MITRE, which meant that the fix for vulnerabilities like CVE-2013-2463 only became available in June 2013 [27].

While not every Java vulnerability received the press attention CVE-2013-0422 received, there was certainly a lot of negative publicity for Java throughout the year.

Are zero-day Java attacks the greatest threat?

Apparently, zero-day Java attacks may not be the greatest danger. PC Mag published an article in March 2013 reporting that about 75% of users use a version of Java at least 6 months out of date [28].

Unfortunately, it is difficult for most non-technical users to install and update Java. The troubleshooting page for installing Java has a series of complex steps, at times including checking anti-virus and firewall settings [29].

Besides, installing a newer version of Java does not uninstall the older version; the user may have to manually uninstall older versions of Java. The fact that leaving older versions of Java installed increases the risk of an attack is stated on the Java website [30], though the rule of uninstalling unused software is certainly a security best practice and should be followed for all software, not just Java.
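The two points above (users running versions months out of date, and old versions lingering alongside new ones) can be checked mechanically. The following Python script is an added example, not part of the paper or of any Oracle tooling: it parses the output of `java -version` (a constructed sample is embedded), maps the version to the affected ranges this paper lists for CVE-2013-0422 and CVE-2013-2463, and audits every JRE found on a host. The affected-range table is assumed to be exactly the ranges stated in the sections above; update numbers are compared as integers, because comparing "1.7.0_9" and "1.7.0_10" as strings gets the order wrong.

```python
import re

# Constructed sample: the kind of output `java -version` prints on a Java 7 host.
SAMPLE_VERSION_OUTPUT = '''java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)
Java HotSpot(TM) Client VM (build 23.6-b04, mixed mode, sharing)
'''

# Affected ranges as stated in this paper (assumption: nothing beyond those statements).
# A CVE applies when the installed update for that Java family is <= the listed update.
#   CVE-2013-0422: Java SE 7 Update 10 and earlier (6, 5.0 and 1.4.2 not affected).
#   CVE-2013-2463: Java 7 Update 21, Java 6 Update 45, Java 5.0 Update 45 and earlier.
AFFECTED = {
    "CVE-2013-0422": {7: 10},
    "CVE-2013-2463": {7: 21, 6: 45, 5: 45},
}

# Matches the first line of `java -version` / `openjdk -version` output.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update) from `java -version` output, e.g. "1.7.0_10" -> (7, 10).

    Legacy versions are written "1.<family>.0_<update>"; for Java 9 and later the
    leading number is the family itself.  A missing update number counts as 0.
    """
    match = _VERSION_RE.search(output)
    if not match:
        raise ValueError("no 'java version' line found in output")
    major, minor, _patch, update = match.groups()
    family = int(minor) if major == "1" else int(major)
    return family, int(update) if update else 0


def affected_cves(family, update):
    """List the CVEs from AFFECTED whose range covers this family/update (integer compare)."""
    return [cve for cve, ranges in AFFECTED.items()
            if family in ranges and update <= ranges[family]]


def audit_java_version(output):
    """Parse one `java -version` output and report which listed CVEs still apply to it."""
    family, update = parse_java_version(output)
    return {"family": family, "update": update, "affected": affected_cves(family, update)}


def audit_host(version_outputs):
    """Audit every JRE found on a host (several may coexist, since installing a newer
    Java does not remove the older ones) and return those still covered by a CVE."""
    return [result for result in map(audit_java_version, version_outputs) if result["affected"]]


if __name__ == "__main__":
    # Constructed host: a patched 7u25 next to a leftover 7u10 that was never removed.
    leftover = SAMPLE_VERSION_OUTPUT
    patched = SAMPLE_VERSION_OUTPUT.replace("1.7.0_10", "1.7.0_25")
    for finding in audit_host([patched, leftover]):
        print("Java %d update %d still affected by: %s"
              % (finding["family"], finding["update"], ", ".join(finding["affected"])))
```

On a real host the inputs would be the output of each `java -version` binary found under the JRE install directories, not the constructed strings used here; the audit logic is the same.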

The next section (An Evil Applet) demonstrates how easy it can be, using a signed Java Applet and some social engineering, to gain access to the user’s machine.

An Evil Applet

The demo is performed on a Windows Vista PC and BackTrack Linux 5 in an Oracle virtual machine, using Metasploit on BackTrack Linux 5 (the same can be performed using Kali Linux too). This demonstration exposes a malicious Java Applet which, when accessed by an unsuspecting user, manifests an exploit where the Applet gains control of the session and passes information back to Metasploit.

For this demo the latest and recommended version of Java is used in IE9 (see Illustration 3: An Evil Applet – Using recommended version of Java),

When the above URL is accessed by an unsuspecting user, an applet is downloaded and tries to execute (the Java plug-in/browser warns the user that the Applet has an unknown publisher) (see Illustration 5: An Evil Applet – Warning before executing the Applet),

Illustration 5: An Evil Applet – Warning before executing the Applet

Assuming the user accepts the risk and chooses to run the applet, as in the case of this demo, the applet is loaded and effectively grants control to the server component in Metasploit on the BackTrack Linux 5 VM (Illustration 6: Meterpreter gained access to user’s session).

Illustration 6: Meterpreter gained access to user’s session

Once the session is accessed the attacker can perform actions on the user’s machine, for example taking screenshots of the user’s desktop. In the case below the user is playing the card game Hearts, and a screenshot of that is taken from the Metasploit Meterpreter (by executing the screenshot command) (Illustration 7: An Evil Applet – taking a screenshot of the user’s desktop and Illustration 8: An Evil Applet – Screenshot of the user playing hearts).

Illustration 7: An Evil Applet – taking a screenshot of the user’s desktop

Illustration 8: An Evil Applet – Screenshot of the user playing hearts

The above example demonstrates that there is a good degree of risk even if the user is using the latest and “recommended” version of Java in the browser.

Business Continuity and the need for an Alternative

On the About page of java.com we see how ubiquitous Java is today,

“From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

97% of Enterprise Desktops Run Java

89% of Desktops (or Computers) in the U.S. Run Java

9 Million Java Developers Worldwide

#1 Choice for Developers

#1 Development Platform

3 Billion Mobile Phones Run Java

100% of Blu-ray Disc Players Ship with Java

5 Billion Java Cards in Use

125 million TV devices run Java

5 of the Top 5 Original Equipment Manufacturers Ship Java ME” [31]

The question is, with this degree of global reliance on a programming platform, would it be in anyone’s interest to have the platform controlled by a monopoly? Or managed by the laws of one nation?

The answers to the above questions are obvious. This is a serious business continuity issue. What if you belong to an organization which is in a legal battle with Oracle? What if you are a student or a business owner in a country that is under sanctions from the U.S. Government [35]? What if Oracle had decided not to take Java ahead after its takeover of Sun Microsystems? What if Oracle ceased to exist? These questions may sound hypothetical, but what if any of this ever turned true for you or your company or your country?

A possible solution to the above problem is FOSS (Free and Open-Source Software). While it is true that several FOSS projects and websites comply with U.S. export regulations (denying the right to download and use software in sanctioned countries like Cuba) [32][33][34], this is still better than having a monopoly control the most popular development platform on the planet!

The following section discusses some important events in the efforts to build an alternative Java Development Kit. Unfortunately for Apache Harmony, the journey was anything but harmonious. The other alternative is the GPL-licensed OpenJDK, which is supported by Oracle. Besides these two, others haven’t made much progress.

Oracle Java is licensed under the Oracle license. While Java is free, the Sun/Oracle license agreement is not considered compatible with open source licenses [37].

Unfortunately, Apache Harmony could never really call itself Java compatible because Sun refused to honor the JSPA (Java Specification Participation Agreement), which would have given the Apache Harmony project access to the Technology Compatibility Kit (TCK), a prerequisite before an implementation can call itself Java [38].

In the famous open letter from Apache to Sun, Geir Magnusson Jr, the then VP of the Apache Harmony project, stated that the “IP right” restrictions on the “field of use” were unacceptable [42].

Subsequently Sun was taken over by Oracle, which maintained a tough stance. ASF was even subpoenaed in the Oracle lawsuit against Google over claimed Java patent and copyright violations by Google’s Android mobile operating system [39].

Oracle’s block on Apache Harmony receiving the Java TCK saw ASF walk out of the JCP (Java Community Process) [43].

The final nail in the coffin for Apache Harmony was when IBM announced its intention to join the OpenJDK project, the open source Java runtime effort led by Oracle [40]. OpenJDK is licensed under the “GNU General Public License, version 2, with the Classpath Exception” [41].

On Nov 16th, 2011 the battle of open source Java was won by OpenJDK, as Apache Harmony voted to move the project to the “Attic” [36].

Besides being a clean-room “viral-free” implementation of the JDK and JVM (note: here viral refers to the license agreement), Apache Harmony strove to provide modularity. Packages were modularized and broken into separate units such that a subset of the Java API could be bundled with the implementation; this was a great benefit to systems with memory constraints like embedded systems [38].

OpenJDK

OpenJDK is the open source implementation of Oracle Java SE. It is licensed under GPLv2 with the Classpath exception [44]. It was historically licensed under the OpenJDK Binary License [44].

The following license agreement is present in the Java sources that are made available as a part of the OpenJDK project.

In Java files [45],

/*
 * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

In shell scripts for building the project [46],

#
# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit http://www.oracle.com if you need additional information or have any
# questions.
#

IBM abandoning Apache Harmony and joining the OpenJDK project was a huge gain for OpenJDK. While this was welcomed by many in the community as an act to unify efforts [48], the fact is that a significant project, Apache Harmony, died, and that was the loss of one choice for the community.

Besides, the Apache License v2 is more liberal when compared to GPLv2. For starters, the Apache license grants copyright and patent licenses from each past contributor to the Apache source code, so code that uses software licensed under Apache can be licensed under other licenses, including proprietary commercial licenses. On the other hand, the GPL is viewed by many as a “viral license”: any software developed from source code licensed under the GPL would automatically be licensed under the GPL, making it difficult to use GPL-licensed source code in commercial implementations [47].

Recommendations

Java in the browser

Like any other software, apply the rule of thumb “if you don’t need it, don’t keep it”. So if you don’t think you use Java, you should consider uninstalling it.

If you are not sure if you need Java, you may start by first disabling Java. Windows users can do so from the Java Control Panel [49].
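For a fleet of machines, the Java Control Panel setting is usually enforced through the system-level deployment.properties file instead of by hand. The following Python script is an added example, not part of the paper: it parses that file and reports whether Java in the browser is still enabled or the applet security level is below the strictest setting. The property names `deployment.webjava.enabled` and `deployment.security.level` (and the `.locked` marker that prevents users from changing a property) are taken from Oracle’s deployment configuration documentation for Java 7 Update 10 and later; the two sample files and the assumption that a missing `deployment.webjava.enabled` means browser Java is enabled are constructed for this example.

```python
import re

# Constructed sample: a deployment.properties that still allows Java in the browser.
WEAK_PROPERTIES = """# Java Deployment Properties (constructed sample, weak)
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

# Constructed sample: the same file with browser Java disabled, the security level
# raised to VERY_HIGH, and both settings locked so the Java Control Panel cannot undo them.
HARDENED_PROPERTIES = """# Java Deployment Properties (constructed sample, hardened)
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

# key=value, key:value, key value, or a bare key (used by the ".locked" markers).
_PROPERTY_RE = re.compile(r'([^=:\s]+)\s*[=:]?\s*(.*)')


def parse_properties(text):
    """Minimal Java .properties parser: '#' and '!' lines are comments, blank lines are
    skipped, and a bare key is stored with an empty string as its value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _PROPERTY_RE.match(line).groups()
        props[key] = value.strip()
    return props


def audit_browser_settings(text):
    """Return a list of findings about Java-in-the-browser settings; an empty list means
    the file disables browser Java, locks that choice, and uses the VERY_HIGH level."""
    props = parse_properties(text)
    findings = []
    # Assumption for this example: when the key is absent, browser Java is enabled.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java in the browser is enabled (deployment.webjava.enabled is not false)")
    elif "deployment.webjava.enabled.locked" not in props:
        findings.append("deployment.webjava.enabled is not locked; users can re-enable it from the Java Control Panel")
    if props.get("deployment.security.level", "").upper() != "VERY_HIGH":
        findings.append("applet security level is not VERY_HIGH (deployment.security.level)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print("%s: %s" % (name, audit_browser_settings(text) or ["no findings"]))
```

In practice the script would read the file named by the system-level deployment.config on each machine; the audit logic above is unchanged.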

If you use Java, say for work, exercise caution when “trusting” sites that ask permission to run a Java applet.

Most importantly, protect the system by installing the latest anti-virus, firewall and IDPS (Intrusion Detection and Prevention System) programs with updated definitions (where applicable). In the Evil Applet demonstration above, the attack could have been prevented if the anti-virus had been enabled (see Illustration 10: Anti-Virus warning while accessing the Evil Applet).

Illustration 10: Anti-Virus warning while accessing the Evil Applet

Java and Business Continuity

The Java ecosystem is full of innovative open-source supporting communities. Support these communities and encourage true open source principles and liberal licenses.

Participate in the best possible open sourced project alternatives available currently like OpenJDK and IcedTea.

Don’t put all your eggs in one basket: several programming languages and platforms could be used on the server side and would integrate very well with existing Java infrastructure.

Conclusion

Java has been enjoying popularity for more than a decade and that popularity is expected to grow in the years to come. With this, it is increasingly important for the information assurance, development and business communities to stay on top of the latest developments in the area. The right response from media, business and government to security and licensing issues brings the best out of many software projects. No software is completely secure, and Java is no exception; with educated implementation of technology and well-architected business processes that rely on technology, one can ensure Information Assurance for the vast spread of technology services and implementations that are based on the Java platform today.